The General Data Protection Regulation (GDPR) will apply from 25 May 2018. It will significantly change and update the data protection regime in the UK.
Human Resources teams deal with personal data on a daily basis and play an integral role in how it is treated by others. It is therefore essential that HR understand and comply with the new regime, not least because there will be increased penalties for non-compliance, including fines of up to Euro 20 million or 4% of global turnover. Claims by individuals for compensation will also become significantly easier.
While the GDPR seeks to bring uniformity across EU member states, it does permit individual member states to introduce their own laws specific to the processing of ‘employee data’. Employers operating across jurisdictions will therefore need to ensure they are aware of any domestic legislation in relevant member states that imposes additional or alternative rules for the handling of employee data.
Key areas of impact for HR
The GDPR will require a business to undertake a complete review of how it obtains and processes personal data. HR will need to work closely with other stakeholders, such as compliance, legal, marketing and IT, towards achieving compliance. Some organisations may also be required to appoint a Data Protection Officer.
Key areas of impact for HR include:
1. Legal basis for processing and consent
The current legal bases which are used to justify collecting and processing personal data are changing under the GDPR.
Currently, many employers seek to justify processing of personal data on the basis of employee consent, although this approach has been increasingly criticised, since the subordinate nature of the employer-employee relationship leads to doubts as to whether consent can be freely given.
Under the GDPR, there are stricter requirements for consent – it must be clearly distinguishable from other matters, in an intelligible and easily accessible form, and must be as easy to withdraw as to provide. Separate consent must be sought for separate processing activities. Of particular note for employers, the GDPR contains an express requirement that consent is ‘freely given’.
Consequently, relying on consent alone is likely to become problematic in many instances and employers will need to determine if they can rely on one of the other grounds for processing that exist under the GDPR in respect of each type of personal data/processing which they undertake.
2. Greater transparency and privacy notices
The GDPR requires increased transparency in informing individuals about when (and why) their data is collected, processed and transferred.
The information required by the GDPR includes informing individuals: how long data will be stored for; if data will be transferred to other countries; and information on an individual’s rights under the GDPR (see below for more on these rights, some of which are new).
In updating privacy notices to comply with the GDPR requirements, employers should note that they must also be concise, transparent and intelligible, in an easily accessible form and drafted using clear and plain language.
3. Data sharing
Under the GDPR, the relationship between parties who share data between themselves will become more heavily regulated. If you share personal data with third parties (such as payroll companies) then you must have a GDPR-compliant data sharing agreement in place. Consequently, you should review, and possibly amend, your contractual relationships with all those with whom you share data to ensure that they meet these new requirements.
4. Rights of individuals
The GDPR builds on existing rights of individuals and contains numerous new rights. Individuals will have wider rights of access to their personal data (the £10 fee for subject access requests is abolished and employers must generally comply with a request within one month, compared to the current 40 days), and any inaccuracies in personal data must be rectified without undue delay.
There is a new right to have personal data erased where the data is no longer required, where consent is withdrawn or if the processing is unlawful. This accompanies a similar right to restrict processing where the accuracy of the data is contested (which might be the case where a worker disputes their performance review or the outcome of a disciplinary or grievance procedure) or the processing is unlawful.
These changes should be addressed in policies and procedures, and training should be implemented to ensure managers can identify any such requests and know the process for dealing with them. HR should also be prepared for these new rights to potentially be used tactically in employment disputes, in the same way that subject access requests are at present often raised as a precursor to litigation.
5. New breach notification requirement
The GDPR imposes a new mandatory breach reporting requirement. In the UK, ‘personal data breaches’ must be reported to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach poses a high risk to the rights and freedoms of individuals, those individuals will also have to be notified.
A personal data breach is defined quite widely to include ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Incidents in the employment context which might trigger a requirement to notify include a laptop or file left on a train or an email containing HR information sent to an incorrect address. However, a breach does not have to be notified to the ICO if it is unlikely to result in a risk to the rights and freedoms of individuals, e.g. where the personal data on the lost laptop is protected by robust encryption.
Again, processes should be implemented to address any need to notify and also mitigate any associated risks. Training employees to ensure they know to alert the business to any potential breach will be critical.
As well as addressing the above requirements, it is important to appreciate that the GDPR will require on-going processes to demonstrate compliance – keeping on top of record-keeping and data retention in particular will be key. Employers are likely to see an increase in the use of technology in HR processes and decision-making – any new processes introduced will need to be carefully designed in line with the GDPR requirements.
The GDPR brings a sea change in data protection compliance and a new cultural regime. The areas highlighted above are simply some of the key considerations for HR. You can read our fuller guide here and our checklist of key questions your business should be asking now here.
With 12 months to go, HR must give careful consideration now to:
• what personal data they obtain, how they currently process it and how long they retain it;
• the changes they will need to make in light of the GDPR, particularly where there has been a reliance on consent; and
• the record-keeping and employment documentation, including privacy notices and policies and procedures which will be needed, together with the necessary training regime, to ensure on-going compliance.